Abstract

In this paper we present an improved algorithm for finding low-weight multiples of polynomials over the binary field using coding-theoretic methods. The code associated with the given polynomial has a cyclic structure, which allows an algorithm to search for shifts of the sought minimum-weight codeword. Building on this, a code of higher dimension is constructed that contains a larger number of low-weight codewords and, through some additional processing, also has a reduced minimum distance. Applying an algorithm for finding low-weight codewords in the constructed code yields a lower complexity for finding low-weight polynomial multiples than previous approaches. As an application, we show a key-recovery attack against [cipher name rendered only as an image in the original] that has a lower complexity than the chosen security level indicates. Using similar ideas we also present a new probabilistic algorithm for finding a multiple of weight 4, which is faster than previous approaches. This is relevant, for example, in correlation attacks on stream ciphers.

Acknowledgments

We would like to thank the anonymous reviewers in the submission to DCC and WCC for their valuable and insightful comments that helped improve the manuscript. We also want to thank Martin Ågren for helping out with the initial implementation of the algorithm described in Sect. 6. This research was funded by a grant (621-2009-4646) from the Swedish Research Council.

Appendix: Proof of Proposition 1

The complexity function \(C^*\) refers to the expected complexity of running Algorithm 1 with an instance where we have one single solution, i.e., only one codeword of weight \(w\) exists in the code, whereas in the case of LWPMb, there will exist several weight \(w\) codewords. Having \(y+1\) possible solutions instead of one suggests that finding at least one is roughly \(y+1\) times more likely. However, for this to be true, the probability \(\xi \) of finding one single codeword in one iteration must be small. In particular, we require that \(y\xi \ll 1\). Secondly, we require the events of finding the shifted low-weight codewords to be independent of each other.

Let the set of solutions, i.e., the set of shifts of \(K(x)\) represented as vectors, be the rows of the matrix

constitute two rows of the first \(r\) columns of \(\pi (\mathbf{{K}} \mathbf{{\Gamma }})\) for some \(j\) such that \(1 \le j \le y\), where each \(k_i\) is an i.i.d. random variable. Note that the indices are taken modulo \(d\). For a codeword \(\mathbf{{k}}\) to be considered as a possible solution in one iteration of Algorithm 1, a necessary but not sufficient condition is that \(\mathbf{{k}}\) has at most \(2p\) nonzero elements in the first \(r\) columns. We want to show that these two events are approximately independent. We give an informal argument; a more formal derivation would require considerable space, which we omit.

The set of indices \(\{i_1, i_2,\ldots , i_{r}\}\) is chosen uniformly by the permutation. As a consequence, there is a non-zero probability that \(\{i_1, i_2,\ldots , i_r\}\cap \{i_{1}-j, i_{2}-j,\ldots , i_{r}-j\}\ne \emptyset \), meaning that one or several random variables in \(\mathbf{{k}}\) and \(\mathbf{{k}}'\) are identical. More specifically, we have

common indices in \(\{i_1, i_2,\ldots , i_{r}\}\) and \(\{i_{1}-j, i_{2}-j,\ldots , i_{r}-j\}\) on average. The probability of having \(i\) overlapping variables is given by the probability function of a hypergeometric distribution, i.e.,

Hence, if \(w \left( 1-\frac{d_P}{d}\right) \gg 2p\) then the expected value is significantly larger than \(2p\). If so, \(A_1\) is very unlikely to take a value below or equal to \(2p\) and, thus, we argue that the events of finding the shifted codewords are approximately independent.

Under the two conditions \(y \xi \ll 1\) and \(w \left( 1-\frac{d_P}{d}\right) \gg 2p\), we can conclude that the probability of finding at least one out of \(y+1\) codewords is \(1-(1-\xi )^{y+1} \approx (y+1) \xi \), since all codewords are equally likely to be found. Moreover, the complexity \(C^*\) is \(\mathcal {O}\left( \xi ^{-1}\right) \) and therefore Algorithm 2 has complexity \(\mathcal {O}\left( (y+1)^{-1}\xi ^{-1}\right) \). This concludes the proof of Proposition 1.
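The two quantitative steps of this appendix, the hypergeometric model for the number of indices shared between \(\{i_1,\ldots ,i_r\}\) and its shift, and the approximation \(1-(1-\xi )^{y+1} \approx (y+1)\xi \) under \(y\xi \ll 1\), can be checked numerically. The following Python script is an added example and not code from the paper. It assumes that the shifted index set is modelled as an independent uniform \(r\)-subset of \(\mathbb{Z}_d\) (which gives the hypergeometric law with population \(d\), \(r\) marked elements and \(r\) draws), and it also computes the exact mean overlap for the same set shifted cyclically, derived here by linearity of expectation, to show how close the two are when \(d \gg r\). All parameter values are constructed toy values, not parameters of any instance in the paper.

```python
"""Numerical checks of the estimates used in the proof of Proposition 1.

Added example (not from the paper). Modelling assumptions:
  * overlap_pmf treats the shifted index set as an independent uniform
    r-subset of Z_d, giving a hypergeometric distribution (population d,
    r marked elements, r draws);
  * shift_overlap_mean is the exact mean of |S ∩ (S - j)| for a uniform
    r-subset S of Z_d and a fixed shift j != 0 mod d, derived here by
    linearity of expectation;
  * all numbers passed in by callers are constructed toy values.
"""
from math import comb
import random


def overlap_pmf(d: int, r: int, i: int) -> float:
    """P(|S ∩ S'| = i) for two independent uniform r-subsets S, S' of a
    d-element set: hypergeometric with d items, r marked, r drawn."""
    if i < 0 or i > r or r > d:
        return 0.0
    return comb(r, i) * comb(d - r, r - i) / comb(d, r)


def hypergeometric_overlap_mean(d: int, r: int) -> float:
    """Mean overlap under the independent-subset model, computed from the
    pmf; it equals r*r/d."""
    return sum(i * overlap_pmf(d, r, i) for i in range(r + 1))


def shift_overlap_mean(d: int, r: int) -> float:
    """Exact mean of |S ∩ (S - j)| for a uniform r-subset S of Z_d and any
    shift j != 0 (mod d). For each x in Z_d, P(x in S and x + j in S) is
    r(r-1)/(d(d-1)); summing over the d values of x gives r(r-1)/(d-1)."""
    return r * (r - 1) / (d - 1)


def simulate_shift_overlap(d: int, r: int, j: int, trials: int,
                           seed: int = 1) -> float:
    """Monte Carlo estimate of E|S ∩ (S - j)| with S a uniform r-subset of
    Z_d and S - j its cyclic shift, as in the proof."""
    rng = random.Random(seed)  # fixed seed keeps the estimate reproducible
    total = 0
    for _ in range(trials):
        s = set(rng.sample(range(d), r))
        shifted = {(x - j) % d for x in s}
        total += len(s & shifted)
    return total / trials


def prob_at_least_one(xi: float, y: int) -> float:
    """Exact probability that at least one of y+1 equally likely,
    independent solutions is found in one iteration."""
    return 1.0 - (1.0 - xi) ** (y + 1)


def linear_estimate(xi: float, y: int) -> float:
    """The approximation (y+1)*xi used in the proof; valid when y*xi << 1."""
    return (y + 1) * xi


def relative_error(xi: float, y: int) -> float:
    """Relative overshoot of the linear estimate; about y*xi/2 when
    y*xi << 1 (second-order term of the binomial expansion)."""
    exact = prob_at_least_one(xi, y)
    return (linear_estimate(xi, y) - exact) / exact


if __name__ == "__main__":
    d, r, j = 100, 10, 7  # constructed toy values
    print("hypergeometric mean overlap:", hypergeometric_overlap_mean(d, r))
    print("exact mean for cyclic shift:", shift_overlap_mean(d, r))
    print("simulated cyclic shift:     ", simulate_shift_overlap(d, r, j, 5000))
    for xi, y in [(1e-3, 9), (0.2, 9)]:
        print(f"xi={xi}, y={y}: y*xi={y*xi:.3f}, "
              f"relative error of (y+1)xi = {relative_error(xi, y):.4f}")
```

Running the script shows that the hypergeometric mean \(r^2/d\) and the exact cyclic-shift mean \(r(r-1)/(d-1)\) agree to within a few percent once \(d \gg r\), which is the regime in which the proof uses the hypergeometric model, and that the linear estimate \((y+1)\xi \) is accurate only while \(y\xi \) is small: for \(y\xi = 0.009\) the relative error is under one percent, whereas for \(y\xi = 1.8\) the estimate exceeds 1 and is meaningless.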